On Tue, 2005-08-02 at 18:18 -0300, Carlos Zottmann wrote:
> Hi !!
>
> We are having some problems with our domain controllers that is
> slowing down squid during peak ours, due to ntlm authentication.
>
> We considered changing the value of Max_Challeng_Reuse from 0 to some
> higher value, in order to decrease the load on the domain controllers
> coming from squid, but I would like to know what are the possible
> consequences, specially regarding performance, before actually
> commiting this change.
With max_challenge_reuse set to anything but 0, squid will perform a
replay attack on the NTLM authentication to increase authentication
performance.
Everything should work more or less fine (if you see failed auths you
may want to enable the helper-fail-open config option and helper flag -
be warned that doing so is a security compromise).
Also be aware that support for that feature is being removed from
squid-3.
Kinkie
